package com.bjpowernode.shop.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

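/*
   Resource server: defines which resources are let through and which are intercepted.
      Permitted resources: actuator (health checks), druid (Druid database monitoring)...
      Intercepted resources: all requests must carry a token before they can be accessed.
 */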
@Configuration
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /** Ant patterns that are served without an access token. */
    private static final String[] ANONYMOUS_PATTERNS = {"/actuator/**"};

    /**
     * Sets the HTTP security rules for this resource server: requests matching
     * {@code /actuator/**} are allowed through without authentication, and every
     * other request must be authenticated.
     *
     * @param http the security builder being configured
     * @throws Exception declared by the overridden method; propagated from the builder calls
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // CSRF protection is switched off. CSRF is an attack in which a forged request
        // rides on credentials the browser attaches automatically (typically cookies).
        // NOTE(review): presumably safe because callers send the token explicitly on
        // each request; if tokens are ever carried in cookies, CSRF protection is
        // needed again. Confirm against the clients.
        //
        // Disabling CSRF and disabling CORS are separate things. cors().disable() only
        // stops Spring Security from applying its own CORS handling; it does not grant
        // cross-origin access. NOTE(review): the cross-origin policy therefore has to
        // be enforced elsewhere (for example at a gateway). Confirm where.
        //
        // Spring Security's session-management configuration is disabled as well.
        http.csrf().disable()
                .cors().disable()
                .sessionManagement().disable();

        // NOTE(review): "/actuator/**" makes every actuator endpoint that the
        // application exposes reachable without a token, not just the health check.
        // Which endpoints are exposed depends on configuration not visible here
        // (e.g. management.endpoints.web.exposure.include). Some actuator endpoints
        // reveal configuration values and internal state, so keep the exposed set
        // minimal or narrow this pattern to the health endpoint.
        // The file's header comment also lists druid as permitted, but no druid
        // pattern is matched here, so druid paths fall under anyRequest().authenticated().
        http.authorizeRequests()
                .antMatchers(ANONYMOUS_PATTERNS).permitAll()
                .anyRequest().authenticated();
    }
}
